Critical vulnerability in GitLab EE: arbitrary pipeline execution on branches (CVE-2024-9164)

ISGroup Cybersecurity

This vulnerability is due to improper restrictions on who can execute pipelines in GitLab EE. It allows unauthorized users to trigger pipelines on branches they do not control, which could result in unauthorized code execution or the exposure of sensitive data. GitLab is widely used for CI/CD in many organizations, making this a critical issue, especially in large-scale environments. Although there are currently no confirmed reports of active exploitation, the high CVSS score (9.6) indicates that it could be easily exploited if not patched. Given the popularity of GitLab EE, it is important for affected organizations to take immediate action to mitigate the risk.

ProductGitLab
Date2024-10-18 17:08:33
Information
  • Trending
  • Fix Available

Technical Summary

A critical vulnerability (CVE-2024-9164) in GitLab Enterprise Edition (EE) allows unauthorized users to execute pipelines on branches they should not have access to. This flaw can lead to the exposure of sensitive data and the manipulation of critical workflows. The vulnerability affects multiple versions of GitLab EE and has a high security impact, especially in environments where CI/CD pipelines are used. The issue has been resolved in the latest update, and organizations using affected versions should apply the patch immediately to prevent potential abuse.

Recommendations

Update to the latest version (17.2.9, 17.3.5, or 17.4.2) to mitigate this vulnerability.

[Callforaction-THREAT-Footer]